
Notes on Switzerland and NAT Firewalls

Does Switzerland work with NAT Firewalls?

Short answer: Yes, and no, and sometimes. Switzerland knows how to correct for basic Network Address Translation (NAT) firewalls. But many firewall/router boxes make undocumented modifications to the traffic passing through them beyond the minimum changes that NAT requires. Switzerland will detect these modifications and raise an alarm. If you want to test an ISP, rather than a firewall, you may have to disconnect the firewall.

Long answer: There were some interesting challenges in building Switzerland. The biggest of these comes in the form of NAT firewalls/routers, which most people have on their home broadband connections. These devices modify the packets traveling through them — NAT stands for "network address translation", and it involves modifying the source and destination information inside IP packets so that multiple computers can be online simultaneously while sharing a single public IP address. Our code knows about NAT, and avoids misconstruing these basic address changes as interference with the underlying traffic.

Where things get blurrier is that many consumer-oriented NAT firewalls make other kinds of modifications to packets. Often, these changes are inane or benevolent. Sometimes they are malfunctions, and cause disruption to applications (one such malfunction caused quite a stir when some graduate students at the University of Colorado thought that Comcast might have been responsible for it — in fact, it was a NAT router). Sometimes a modification made by a router could have benevolent intent, but bugs in the implementation mean that it causes problems. For example, we've seen some NAT routers that modify/forge TCP ACK packets (aggressively acknowledging packets that the router has seen but the recipient computer has not). This may be okay if the router reliably retransmits the packets when the client drops them, but we've also heard about situations where load balancing devices try to do this and get it wrong.
Aside from modifying TCP ACK numbers, we've seen firewalls that:

Switzerland Version Zero is configured to silently ignore those last two modifications, but the others will raise alarms. The upshot of all of this is that if you want to use the current version of Switzerland to test an ISP, it's best to bypass your NAT router and plug a PC directly into a cable/DSL modem (in situations where these two functions are performed by a single device, you can often configure it not to act as a NAT router). If you test with a NAT router in place, you are testing the router too.

Some NATs are fairly well behaved; for instance, we haven't seen modifications from routers using DD-WRT firmware (no promises, of course :). If you have one of those, you can probably test your ISP through the NAT, and would only need to get a direct connection to confirm that any spoofed or modified packets were actually being caused by an intermediary.

A long-term development goal for Switzerland may be to characterize and study the kinds of modifications that crazy NATs make to packets, and find a way to see past them. For some of the changes we've seen (such as TCP SACK field reordering, MSS changes, and disabling the DNF flag), this is a fairly easy task. The problem is that you can't just ignore something like a forged ACK number, since ACK number modifications could be a sneaky way to interfere with traffic. There may be some ways to work around this, but they were too complicated for our first release.
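The NAT-aware comparison described above, as an added example in Python (not Switzerland's own code): it decodes raw IPv4/TCP headers, treats the fields a NAT legitimately rewrites as noise, and reports every other change between a packet as sent from the LAN side and as observed on the WAN side, so that an MSS clamp, a cleared DF flag or a forged ACK number stands out. The addresses, ports and packets are constructed samples.

```python
import struct
from ipaddress import IPv4Address

# Fields an outbound NAT rewrites (source address/port, a routing hop's TTL decrement,
# and the checksums that follow); differences confined to these count as basic NAT.
NAT_FIELDS = {"src", "sport", "ttl", "ip_csum", "tcp_csum"}

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 and TCP headers of one raw packet into a flat dict."""
    ihl = (pkt[0] & 0x0F) * 4
    _tos, _tot, ident, frag, ttl, proto, ip_csum = struct.unpack("!BHHHBBH", pkt[1:12])
    assert proto == 6, "only TCP is handled in this example"
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags, win, tcp_csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "id": ident, "df": bool(frag & 0x4000), "ttl": ttl, "ip_csum": ip_csum,
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "win": win, "tcp_csum": tcp_csum,
            "options": tcp[20:doff], "payload": tcp[doff:]}

def non_nat_differences(sent: bytes, observed: bytes) -> list:
    """Names of header fields that changed in transit and that NAT cannot explain."""
    a, b = parse_ipv4_tcp(sent), parse_ipv4_tcp(observed)
    return sorted(k for k in a if k not in NAT_FIELDS and a[k] != b[k])

def build_packet(src, dst, sport, dport, seq, ack, flags, df=True, ttl=64, mss=0, payload=b""):
    """Assemble a minimal IPv4/TCP packet (checksums left zero; a real NAT rewrites them)."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss else b""  # TCP option kind 2 = MSS
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (doff << 12) | flags, 65535, 0, 0)
    tcp += opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp

def demo() -> dict:
    """Constructed samples: LAN-side packets and the WAN-side copies a NAT produced."""
    lan, wan = ("192.168.1.10", 40000), ("198.51.100.7", 51234)  # constructed addresses
    syn = build_packet(lan[0], "203.0.113.5", lan[1], 80, 1000, 0, 0x002, mss=1460)
    # A well-behaved NAT: only source address/port and TTL differ.
    good = build_packet(wan[0], "203.0.113.5", wan[1], 80, 1000, 0, 0x002, ttl=63, mss=1460)
    # A meddling NAT: MSS clamped to 1400 and the DF flag cleared.
    odd = build_packet(wan[0], "203.0.113.5", wan[1], 80, 1000, 0, 0x002, ttl=63, df=False, mss=1400)
    ack = build_packet(lan[0], "203.0.113.5", lan[1], 80, 1001, 5000, 0x010)
    # A router forging the ACK number, which cannot be dismissed as NAT behaviour.
    forged = build_packet(wan[0], "203.0.113.5", wan[1], 80, 1001, 6000, 0x010, ttl=63)
    return {"good": non_nat_differences(syn, good), "odd": non_nat_differences(syn, odd),
            "forged_ack": non_nat_differences(ack, forged)}
```

Run on packets captured on both sides of a router (one capture per side), the same comparison separates basic NAT from the modifications the text describes; checksum fields are ignored only because NAT must recompute them after rewriting addresses.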
